Overview
Deloitte completed a comprehensive no‑logs assessment of NordVPN at the end of 2025, covering the standard VPN, Double VPN, Onion Over VPN, and obfuscated servers. The audit, performed under the ISAE 3000 (Revised) framework, marks the sixth independent verification of NordVPN’s privacy claims.
Audit Methodology
Auditors conducted a month‑long review (Nov 10 – Dec 12 2025) that included:
- Interviews with NordVPN staff
- Examination of configuration files
- Inspection of live system logs
The ISAE 3000 standard requires rigorous evidence collection, independent verification, and documentation of control effectiveness.
Key Findings
The Deloitte team confirmed that NordVPN does not track or log any user traffic. Specific observations include:
- No retention of IP addresses, timestamps, bandwidth usage, or session identifiers.
- Uniform no‑logs controls applied across all service types (standard, Double VPN, Onion Over VPN, obfuscated).
- Consistent implementation of privacy controls over multiple audit cycles.
Significance in the VPN Market
While many VPN providers claim “no‑logs,” few undergo repeated, third‑party audits. NordVPN’s six successful assessments demonstrate a sustained commitment to transparency and set a benchmark for industry best practices.
Statement from NordVPN
“The sixth independent assessment demonstrates our commitment to upholding our no‑logs promise year after year, under rigorous examination,” said Marijus Briedis, CTO at NordVPN.
Conclusion
Deloitte’s audit reinforces NordVPN’s position as a privacy‑focused VPN service that reliably delivers on its no‑logs promise across all its offerings, providing users with confidence in the protection of their online activity.